Digital Signature Schemes and the Random Oracle Model A. Hülsing

Review provable security of “in use” signature schemes. (PKCS #1 v2.x) Today‘s goal Review provable security of “in use” signature schemes. (PKCS #1 v2.x) 7-11-2018

Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/DSA.jpg 7-11-2018

Existential unforgeability under adaptive chosen message attacks PK, 1n SK 𝑞 𝑠 Mi SIGN (σi, Mi) (σ*, M*) Success if M* ≠ Mi , Ɐ i ∈ [0,q] and Verify(pk,σ*,M*) = Accept 7-11-2018

Reduction Problem Transform Problem PK, 1n 𝑞 𝑠 Mi SIGN Implement SIGN (σi, Mi) Solution Extract Solution (σ*, M*) 7-11-2018

Why security reductions? Current RSA signature standard so far unbroken Vulnerabilities might exist! (And existed for previous proposals) Might be possible to forge RSA signatures without solving RSA problem or factoring! 7-11-2018

What could possibly go wrong? 7-11-2018

RSA Let (𝐍,𝐞,𝐝)⟵𝐆𝐞𝐧𝐑𝐒𝐀( 𝟏 𝒌 ) be a PPT algorithm that outputs a modulus 𝑵 that is the product of two 𝑘-bit primes (except possibly with negligible probability), along with an integer 𝒆>𝟎 with 𝐠𝐜𝐝⁡(𝒆, 𝝓(𝑵))=𝟏 and an integer 𝒅>𝟎 satisfying 𝒆𝒅 = 𝟏 𝐦𝐨𝐝 𝝓 𝑵 . For any (𝐍,𝐞,𝐝)⟵𝐆𝐞𝐧𝐑𝐒𝐀( 𝟏 𝒌 ) and any 𝒚∈ ℤ 𝑵 ∗ we have ( 𝒚 𝒅 ) 𝒆 = 𝒚 𝒅𝒆 = 𝒚 𝒅𝒆 𝐦𝐨𝐝 𝝓 𝑵 = 𝒚 𝟏 =𝒚 𝐦𝐨𝐝 𝑵 7-11-2018

RSA Assumption Definition 1. We say that the RSA problem is hard relative to 𝐆𝐞𝐧𝐑𝐒𝐀 if for all PPT algorithms A, the following is negligible: 𝑷𝒓⁡[(𝑵, 𝒆, 𝒅)←𝐆𝐞𝐧𝐑𝐒𝐀( 𝟏 𝒌 ); 𝒚← ℤ 𝑵 ∗ ; 𝒙←𝑨(𝑵, 𝒆, 𝒚): 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵]. 7-11-2018

A simple RSA Signature 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : Run 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 . Return (𝒑𝒌,𝒔𝒌) with 𝒑𝒌= 𝑵, 𝒆 , 𝒔𝒌=𝒅. 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Return 𝛔=( 𝑴 𝑑 𝐦𝐨𝐝 𝑵) 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : Return 1 iff 𝝈 𝒆 𝐦𝐨𝐝 𝑵==𝑴 7-11-2018

The Blinding Attack Given public key 𝒑𝒌= 𝑵, 𝒆 To create a forgery on any target message 𝑴: Sample random 𝒓∈ ℤ 𝑵 ∗ Ask for signature 𝝈 on 𝒓 𝒆 𝑴 𝐦𝐨𝐝 𝑵 Output forgery (𝑴, 𝝈 𝒓 𝐦𝐨𝐝 𝑵) Recall 𝝈= ( 𝒓 𝒆 𝑴) 𝒅 = 𝒓 𝒆𝒅 𝑴 𝒅 =𝒓 𝑴 𝒅 𝐦𝐨𝐝 𝑵 Hence 𝝈 𝒓 = 𝑴 𝒅 𝐦𝐨𝐝 𝑵 7-11-2018

A slightly better RSA Signature Assume Hashfunction 𝑯: {𝟎,𝟏} ∗ → {𝟎,𝟏} 𝒏 for e.g. 𝒏=𝟏𝟔𝟎 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : Run 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 . Return (𝒑𝒌,𝒔𝒌) with 𝒑𝒌= 𝑵, 𝒆 , 𝒔𝒌=𝒅. 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Pad with suff. zeros that (𝟎…𝟎||𝑯 𝑴 )∈ ℤ 𝑵 ∗ Return 𝛔=( (𝟎…𝟎||𝑯 𝑴 ) 𝑑 𝐦𝐨𝐝 𝑵) 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : Return 1 iff 𝝈 𝒆 𝐦𝐨𝐝 𝑵==(𝟎…𝟎||𝑯 𝑴 ) 7-11-2018

Remember Index Calculus? Given public key 𝒑𝒌= 𝑵, 𝒆 Select a bound 𝒚 and let 𝑺=( 𝒑 𝟏 , . . . , 𝒑 𝒍 ) be the list of primes smaller than 𝒚. Find at least 𝒍+𝟏 messages 𝑴 𝒊 such that each (𝟎…𝟎||𝑯 𝑴 𝒊 ) is a product of primes in 𝑺. Express one (𝟎…𝟎||𝑯 𝑴 𝒋 ) as a multiplicative combination of the other (𝟎…𝟎||𝑯 𝑴 𝒊 ) by solving a linear system given by the exponent vectors of the (𝟎…𝟎||𝑯 𝑴 𝒊 ) with respect to the primes in 𝑺. Ask for the signatures on all 𝑴 𝒊 , 𝒊≠𝒋 and forge signature on 𝑴 𝒋 . 7-11-2018

Step 3 Write 𝛍 𝑴 𝒊 =(𝟎…𝟎||𝑯 𝑴 𝒊 ) We can write ∀𝑴 𝒊 ,𝟏≤𝒊≤𝝉: 𝛍 𝑴 𝒊 = 𝒋=𝟏 𝒍 𝒑 𝒋 𝒗 𝒊,𝒋 Associate with 𝛍 𝑴 𝒊 length 𝒍 vector 𝑽 𝒊 𝒗 𝒊,𝟏 𝐦𝐨𝐝 𝒆,…, 𝒗 𝒊,𝒍 𝐦𝐨𝐝 𝒆 𝝉≥𝒍+𝟏 and there are only 𝒍 linearly independent length 𝒍 vectors: We can express one vector as combination of others mod e. Let this be 𝑽 𝝉 = 𝒊=𝟏 𝝉−𝟏 𝜷 𝒊 𝑽 𝒊 +𝒆𝚪 ; 𝐟𝐨𝐫 𝐬𝐨𝐦𝐞 𝚪=( 𝜸 𝟏 ,…, 𝜸 𝒍 ) Hence 𝛍 𝑴 𝝉 = ( 𝒋=𝟏 𝒍 𝒑 𝒋 𝜸 𝒋 ) 𝒆 𝒊=𝟏 𝝉−𝟏 𝛍 𝑴 𝒊 𝜷 𝒊 7-11-2018

Step 4 Ask for signatures 𝝈 𝒊 = 𝛍 𝑴 𝒊 𝒅 𝐦𝐨𝐝 𝑵 on 𝑴 𝒊 for 𝟏≤𝒊<𝝉 Compute: 𝝈 ∗ = 𝛍 𝑴 𝝉 𝒅 = 𝒋=𝟏 𝒍 𝒑 𝒋 𝜸 𝒋 𝒊=𝟏 𝝉−𝟏 𝛍 𝑴 𝒊 𝒅 𝜷 𝒊 𝐦𝐨𝐝 𝑵 Output forgery (𝝈 ∗ , 𝑴 𝝉 ) 7-11-2018

Summing up Original attack (Misarsky, PKC’98) works even for more complicated paddings (ISO/IEC 9796-2) Attack only works for small n! But using SHA-1 (n=160) the attack takes much less than 𝟐 𝟓𝟎 operations! There are many ways to make mistakes... (Similar attacks apply to encryption!) That‘s why we want security reductions 7-11-2018

The Random Oracle Model 7-11-2018

Reduction Problem Transform Problem PK, 1n 𝑞 𝑠 Mi SIGN Implement SIGN (σi, Mi) Solution Extract Solution (σ*, M*) 7-11-2018

Random Oracle Model (ROM) Idealized Model Perfectly Random Function Mj H(Mj) Mj H(Mj) RO 7-11-2018

How to implement RO? ”Lazy Sampling”: Keep list of (xi, yi) Given Mj, search for xi = Mj If xi = Mj exists, return yi Else sample new y from Domain, using uniform distribution Add (Mj, y) to table Return y RO 7-11-2018

ROM security Take scheme that uses cryptographic hash For proof, replace hash by RO Different flavors: Random function vs. Programmable RO Heuristic security argument Allows to verify construction Worked for ”Natural schemes” so far However: Artificial counter examples exist! 7-11-2018

Full Domain Hash Signature Scheme 7-11-2018

Trapdoor (One-way) Permutation 𝐹 𝑝𝑘,𝑥 =𝜋(𝑥) 𝐹 𝑠𝑘,𝑦 =𝜋 −1 (𝑦) Computing 𝜋 −1 (𝑦) without knowledge of sk computationally hard 7-11-2018

RSA Trapdoor (One-way) Permutation 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 ; 𝒑𝒌= 𝑵, 𝒆 ; 𝒔𝒌=𝒅 𝐹 𝑝𝑘,𝑥 = 𝑥 𝑒 𝑚𝑜𝑑 𝑁 𝐹 𝑠𝑘,𝑦 = 𝑦 𝑑 𝑚𝑜𝑑 𝑁 Computing 𝜋 −1 (𝑦) without knowledge of sk computationally hard if RSA Assumption holds 7-11-2018

Generic FDH: Sign M 𝑦=𝐻(𝑀) 𝜎=𝐹 𝑠𝑘,𝑦 = 𝜋 −1 (𝑦) 𝜎=𝑆𝑖𝑔𝑛 𝑠𝑘,𝑀 = 𝜋 −1 (𝐻 𝑀 ) =𝐹(𝑠𝑘,𝐻 𝑀 ) 7-11-2018

Generic FDH: Verify M 𝑦=𝐻(𝑀) 𝑦 ′ =𝐹 𝑝𝑘,𝜎 =𝜋(𝜎) 𝑉𝑒𝑟𝑖𝑓𝑦 𝑝𝑘,𝑀,𝜎 : 𝑐ℎ𝑒𝑐𝑘 𝑦=𝐻 𝑀 == 𝜋 𝜎 =𝐹 𝑝𝑘,𝜎 = 𝑦 ′ 7-11-2018

RSA-PFDH Randomized FDH Simplified RSA-PSS Standardized in PKCS #1 v2 (slightly different randomization) Tight Reduction from RSA Assumption in ROM 7-11-2018

RSA-PFDH Assume Hashfunction 𝑯: {𝟎,𝟏} ∗ → ℤ 𝑵 ∗ 𝐊𝐞𝐲𝐆𝐞𝐧 𝟏 𝒌 : Run 𝑵, 𝒆, 𝒅 ←𝐆𝐞𝐧𝐑𝐒𝐀 𝟏 𝒌 . Return (𝒑𝒌,𝒔𝒌) with 𝒑𝒌= 𝑵, 𝒆 , 𝒔𝒌=𝒅. 𝐒𝐢𝐠𝐧 𝒔𝒌,𝑴 : Sample 𝒓 $ 𝑼 𝜿 ; Compute 𝐲=𝑯(𝒓||𝑴) Return 𝛔=(𝒓, 𝒚 𝑑 𝐦𝐨𝐝 𝑵) 𝐕𝐞𝐫𝐢𝐟𝐲 𝒑𝒌,𝑴,𝝈 : Return 1 iff 𝝈 𝒆 𝐦𝐨𝐝 𝑵==𝑯(𝒓||𝑴) 7-11-2018

RSA-PFDH Security If the RSA Assumption holds, RSA-PFDH is existentially unforgeable under adaptive chosen message attacks. 7-11-2018

Proof Idea: Show that any forger A against RSA-PFDH can be used to break the RSA Assumption with ~ the same time and success probability. ”Given a forger A against RSA-PFDH with success probability 𝜺, we construct an oracle Machine MA that succeeds with probability 𝜺/𝟒.” 7-11-2018

Reduction 𝑵, 𝒆, 𝒚 Transform Problem pk, 1n Mi Mj SIGN Implement SIGN (σi, Mi) H(Mj) RO 𝒙: 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵 Extract Solution (σ*, M*) 7-11-2018

Reduction: Transform Problem 𝑵, 𝒆, 𝒚 𝒑𝒌=(𝑵, 𝒆) Transform Problem pk, 1n 𝑵, 𝒆, 𝒚 Mi Mj SIGN Implement SIGN (σi, Mi) H(Mj) RO 𝒙: 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵 Extract Solution (σ*, M*) 7-11-2018

Reduction: Implement SIGN 𝑵, 𝒆, 𝒚 𝒑𝒌=(𝑵, 𝒆) Transform Problem pk, 1n 𝑵, 𝒆, 𝒚 Mi Mj SIGN Implement SIGN (σi, Mi) H(Mj) RO 𝒙: 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵 Extract Solution (σ*, M*) 7-11-2018

Implement SIGN – Implement RO Keep table of tripples ( . , . , . ) When A asks for 𝑯(𝒓||𝑴): If there is an entry (𝒓||𝑴, 𝒙, 𝒛) in table, return 𝒛 If list 𝑳 𝑴 already exists, go to 3. Otherwise, choose 𝒒 𝒔 values 𝒓 𝑴,𝟏 ,…, 𝒓 𝑴, 𝒒 𝒔 ← {𝟎,𝟏} 𝜿 and store them in a list 𝑳 𝑴 . If 𝒓∈ 𝑳 𝑴 then let 𝒊 be such that 𝒓= 𝒓 𝑴,𝒊 . Choose random 𝒙 𝑴,𝒊 ∈ ℤ 𝑵 ∗ and return the answer 𝐳= 𝒙 𝑴,𝒊 𝒆 𝐦𝐨𝐝 𝑵. Store (𝒓||𝑴, 𝒙 𝑴,𝒊 ,𝒛) in the table. If 𝒓∉ 𝑳 𝑴 , choose random 𝒙∈ ℤ 𝑵 ∗ and return the answer 𝒛=𝒚 𝒙 𝒆 𝐦𝐨𝐝 𝑵. Store (𝒓||𝑴,𝒙,𝒛) in the table. 7-11-2018

Implement SIGN When A requests some message 𝑴 to be signed for the 𝒊 th time: let 𝒓 𝑴,𝒊 be the 𝒊 th value in 𝑳 𝑴 and compute 𝐳=𝐇( 𝒓 𝑴,𝒊 ||𝑴) using RO. Let (𝒓||𝑴, 𝒙 𝑴,𝒊 ,𝒛) be the corresponding entry in the RO table. Output signature ( 𝒓 𝑴,𝒊 , 𝒙 𝑴,𝒊 ). 7-11-2018

Observation All SIGN queries can be answered! SIGN queries are answered using hash 𝐇( 𝒓 𝑴,𝒊 | 𝑴 =𝐳= 𝒙 𝑴,𝒊 𝒆 𝐦𝐨𝐝 𝑵 Signature ( 𝒓 𝑴,𝒊 , 𝒙 𝑴,𝒊 ) known by programming RO All other hash queries are answered with 𝐇(𝒓| 𝑴 =𝒛=𝒚 𝒙 𝒆 𝐦𝐨𝐝 𝑵 Signature not known! BUT: Allows to extract solution from forgery! 7-11-2018

Reduction: Extract Solution 𝑵, 𝒆, 𝒚 𝒑𝒌=(𝑵, 𝒆) Transform Problem pk, 1n 𝑞 𝐻 𝑵, 𝒆, 𝒚 𝑞 𝑠 Mi Mj SIGN Implement SIGN (σi, Mi) H(Mj) RO 𝒙: 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵 Extract Solution (σ*, M*) 7-11-2018

Reduction: Extract Solution If A outputs a forgery ( 𝑴 ∗ , ( 𝒓 ∗ , 𝝈 ∗ )): If 𝒓 ∗ ∈ 𝑳 𝑴 ∗ abort. Else, let ( 𝒓 ∗ ||𝑴 ∗ , 𝒙,𝒛) be the corresponding entry of the table. Output 𝝈 ∗ 𝒙 𝐦𝐨𝐝 𝑵. Note: 𝝈 ∗ 𝒙 𝒆 = 𝝈 ∗ 𝒆 𝒙 𝒆 = 𝑯 𝒓 ∗ ||𝑴 ∗ 𝒙 𝒆 = 𝒚 𝒙 𝒆 𝒙 𝒆 =𝒚 𝐦𝐨𝐝 𝑵 ⟹ 𝝈 ∗ 𝒙 = 𝒆 𝒚 𝐦𝐨𝐝 𝑵 7-11-2018

Analysis Transform Problem: Implement SIGN / RO: Extract Solution: Succeeds always Generates exactly matching distribution Implement SIGN / RO: Succeeds always (we choose 𝒓) Generates exactly matching distribution: RO: Outputs are uniform in ℤ 𝑵 ∗ SIGN: Follows from RO Extract Solution: Succeeds iff A succeeds AND 𝒓 ∗ ∉ 𝑳 𝑴 ∗ ⇒𝐩=𝐏𝐫 𝒓 ∗ ∉ 𝑳 𝑴 ∗ = (𝟏− 𝟐 −𝜿 ) 𝒒 𝒔 Setting 𝜿= 𝐥𝐨𝐠 𝟐 𝒒 𝒔 : 𝒑≥ 𝟏 𝟒 assuming 𝒒 𝒔 ≥𝟐 7-11-2018

What have we shown? We can turn any forger A against RSA-PFDH with success probability 𝜺 into an algorithm MA that solves the RSA problem with probability 𝜺/𝟒. In reverse: If there exists no algorithm to solve the RSA problem with probability ≥𝜺 then there exists no forger against RSA-PFDH that succeeds with probability ≥𝟒𝜺. As proof is in ROM we have to add ”... As long as the used hash function behaves like a RO.” 7-11-2018

Conclusion Ad Hoc constructions problematic Blinding / Index Calculus Proofs (even in ROM) allow to check construction There is one standardized RSA Sig with proof Similar situation for DSA (ROM proof) 7-11-2018

Thank you! Questions? 7-11-2018